Register for your free account! | Forgot your password?

Go Back   elitepvpers > General Gaming > General Gaming Discussion
You last visited: Today at 12:36

  • Please register to post and access all features, it's quick, easy and FREE!

 

[Release] Packet encryption / structure

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
[Release] Packet encryption / structure



=============================================
========= FANTASY TENNIS PACKET SYSTEM ========
============== by AnotherCoder ==============
=============================================


1. ENCRYPTION
2. PACKET STRUCTURE


Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}
1. ENCRYPTION

The packet encryption of Fantasy Tennis is very simple, it is just a normal XOR encryption.
If you do not know what a XOR encryption is, or how to use it in your programming language,
look it up.
Here are some nice explanations: 
Exclusive or - Wikipedia, the free encyclopedia
Bitwise operation - Wikipedia, the free encyclopedia

I will not go any further into explaining what XOR is because most programmers have already used it,
and if you do not know what it is then I am sure that you will not understand anything of this thread anyway.
Okay so let us continue.

Fantasy Tennis uses a 4-byte XOR-table to encrypt their packets here is an example of how it works:

So let us say this is our encrypted packet buffer: 
{c6 89 7c 39 d3 9d 78}

and this is our XOR-table:
{a3, f1, 1d, 54}

then you have to decrypt the buffer like this:

c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a3 = 70
9d XOR f1 = 6c
78 XOR 1d = 65

the decrypted packet would be:

HEX: {65 78 61 6d 70 6c 65}
ASCII: example

packet[0] XOR table[0], packet[1] XOR table[1], packet[2] XOR table[2], 
packet[3] XOR table[3], packet[4] XOR table[0], packet[5] XOR table[1] ...

I hope you get what I mean  you use the first byte of the table to decrypt the first byte of the packet, then the second byte of the table to decrypt the second byte of the packet...and the fourth byte of the table to decrypt the fourth byte of the packet AND THEN the first byte of the table again, to decrypt the fifth byte of the packet and so on.

a C/C++ implementation would be:

that is all? Yes this is enough to decrypt the packets.

So you might be wondering, uhh? Where do I get the XOR-table from? Well good question.
Once you connect to a Fantasy Tennis server, regardless of whether it is a login or a gameserver, the server sends you an unencrypted packet which contains the XOR-tables. Tables? Yes 1 table for send and 1 table for recv

I will give you an example, so well give me a few seconds to start FantasyTennis...
Ok this is the packet that I received:

00 00 00 00 9A FF 10 00 B8 35 14 9F F6 BA 09 78 04 00 00 00 00 00 00 00

B8 35 14 9F <- send XOR-table
F6 BA 09 78 <- recv XOR-table

after I received this packet from the server, the client sent this packet:

AA 67 5F 98 19 3A 03 9F D9 35 75 9F D9 35 75 9F D9 35 14 9F D9 54 75 FE D9 35 82 3F C9 37 14

So let us try to decrypt it with the XOR-table we have got:

Code:
[COLOR="Navy"]	unsigned char packet[] = {[COLOR="DarkRed"]0xAA, 0x67, 0x5F, 0x98, 0x19, 0x3A, 0x03, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x75, 0x9F, 0xD9, 0x35, 0x14, 0x9F, 0xD9, 0x54, 0x75, 0xFE, 0xD9, 0x35, 0x82, 0x3F, 0xC9, 0x37, 0x14[/COLOR]};
	unsigned char xor[] = {[COLOR="RoyalBlue"]0xB8, 0x35, 0x14, 0x9F[/COLOR]};

	for(int i = 0; i < 31; i++)
	{
		printf("%02x ", packet[i]^xor[(i&3)]);
	}[/COLOR]
Output: 12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00
ASCII : ↕ R K í ☼ ↨ a a a a a a a a a a û á q ☻

I logged in with aaaaa aaaaa, so yeah it worked the packet is decrypted, nice done.



2. PACKET STRUCTURE

2bytes [header1]
2bytes [header2]
2bytes [packetId]
2bytes [data_size]
x bytes [data] x = data_size

Example: Let us use the login packet from above

12 52 4b 07 a1 0f 17 00 61 00 61 00 61 00 61 00 61 00 00 00 61 61 61 61 61 00 96 a0 71 02 00


That is all you can now decrypt and encrypt the packets from send / recv and should be able to unterstand their structure.
You cannot edit or send your own packets yet because header1 and header2 differ between each packet and has to be built by yourself.

I will show you how to do that if this thread attracts enough skilled programmers who know what they do

and do not forget to press the thanks button
[/COLOR]

ZeroTen / AnotherCoder



ZeroTen is offline  
Thanks
16 Users
Old   #2
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,204
Received Thanks: 291
Goob job. Mal sehen, ob es irgendwer versteht. Bezweifle ich ;D

@off topic kurz
wie weit bist du mit pserver? kann dir keine pn schreiben --> voll


EDIT:
Quote:
Originally Posted by ZeroTen View Post
a C/C++ implementation would be:

Code:
[COLOR="Navy"]for(int i = 0; i < packet_size; i++)
{
    decrypted_packet[i] = encrypted_packet[i] ^ XOR_Table[(i&3)];
}[/COLOR]
For the VB Users this would be:
Code:
[COLOR="Blue"]For i As Integer = 0 To packet_size - 1
	decrypted_packet(i) = encrypted_packet(i) Xor XOR_Table((i And 3))
Next[/COLOR]


NikeAlex2 is offline  
Old   #3
 
elite*gold: 0
Join Date: Jul 2009
Posts: 1,097
Received Thanks: 389
lol my poor head,i dont understand this language @[email protected] but however i give you a thank @[email protected]
†[Dr.±Stein]† is offline  
Old   #4
 
elite*gold: 0
Join Date: Apr 2009
Posts: 210
Received Thanks: 26
Die, die es brauchen, werden es schon verstehen ;D
Hätte nie gedacht das es trotzdem so simple ist xD
Mich interesiert auch was nun mim Server ist =/

ps. deinen Thanks haste !


Dakaj is offline  
Old   #5
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,204
Received Thanks: 291
Hoffentlich schaut Zero hier noch rein.

Naja der Grundstein ist simple. Das wird aber schon noch schwieriger
NikeAlex2 is offline  
Old   #6
 
elite*gold: 0
Join Date: Jul 2010
Posts: 63
Received Thanks: 64
Working...
Slaeghtor is offline  
Old   #7
 
elite*gold: 18
Join Date: Aug 2008
Posts: 1,360
Received Thanks: 150
Quote:
Originally Posted by deforever View Post
lol my poor head,i dont understand this language @[email protected] but however i give you a thank @[email protected]
This language is english
But i think you don't understand how this work


Un nein ich raffs auch nich, aber ich lass es lieber bevor ich hier dumme fragen stelle ô.o
Fusel. is offline  
Old   #8
 
elite*gold: 0
Join Date: Oct 2009
Posts: 759
Received Thanks: 537
Quote:
Originally Posted by ZeroTen View Post
c6 XOR a3 = 65
89 XOR f1 = 78
7c XOR 1d = 61
39 XOR 54 = 6d
d3 XOR a1 = 70
9d XOR f1 = 6c
78 XOR 1d = 65
By your xor table it should be

d3 XOR a3 = 70

Though, well done. Private servers can now raise up .

Possible implementation of Fantasy Tennis cryptography (C#):
PHP Code:
using System;

namespace 
FantasyTennis.Networking
{
    public static class 
Cryptography
    
{
        private static 
byte[] Keys = new byte[] { 0xa30xf10x1d0x54 };

        public static 
void Encrypt(byte[] buffer)
        {
            if(
buffer == null || buffer.Length == 0)
                return;
            for (
int count 0count buffer.Lengthcount++)
                
buffer[count] ^= Keys[count 4];
        }
        public static 
void Decrypt(byte[] buffer)
        {
            
Encrypt(buffer);
        }
    }

Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
-impulse- is offline  
Old   #9
 
elite*gold: 0
Join Date: Oct 2006
Posts: 225
Received Thanks: 207
Quote:
Originally Posted by -impulse- View Post
By your xor table it should be

d3 XOR a3 = 70
Yeah you are right, I fixxed that, thanks.

Quote:
Originally Posted by -impulse- View Post
Also, I believe that the first 4 bytes sent in any packet are actually the time(timeGetTime). I'll do some research and update.
No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
ZeroTen is offline  
Old   #10
 
elite*gold: 0
Join Date: Oct 2009
Posts: 759
Received Thanks: 537
Quote:
Originally Posted by ZeroTen View Post
Yeah you are right, I fixxed that, thanks.


No it's not
They build the first 2 bytes and the next 2 bytes in 2 different ways, they use a table and the data of the packet to build the bytes that is why they add the first 4 bytes at the end when the packet data is already written into the buffer.
Well, you know better than I do, so you might be right...
-impulse- is offline  
Old   #11
 
elite*gold: 252
Join Date: Mar 2008
Posts: 3,112
Received Thanks: 3,899
Thank you^^ I think I understand now.. But one question: How can I see these packets?
.Alessa is offline  
Old   #12
 
elite*gold: 0
Join Date: Jun 2008
Posts: 448
Received Thanks: 410
Quote:
Originally Posted by Shannonfan View Post
Thank you^^ I think I understand now.. But one question: How can I see these packets?
Ich weiß nicht was du für Vorkenntnisse hasst, jedoch muss du Send und WSASend hooken und den buffer auslesen.
Bei Recv und WSARecv musst du die Funktion ersst durchlaufen lassen und dann den Buffer auslesen.
Achtung bei Recv und WSARecv ist der Return wert der funktion die length.
Lazeboy is offline  
Old   #13
 
elite*gold: 252
Join Date: Mar 2008
Posts: 3,112
Received Thanks: 3,899
Okay bisher habe ich noch gar keine Kenntnisse.. Wird aber mal Zeit, welche zu bekommen Ich werde mal danach googlen, vielen Dank.

€: Ohje, ob ich da zurecht finde... ich schau mal weiter...
.Alessa is offline  
Old   #14
 
elite*gold: 0
Join Date: Oct 2009
Posts: 759
Received Thanks: 537
Might you people please use English for this thread only? At least this one...it is one I really understand...and it's really useful. I already managed to get to sniffing game server's ips and ports and the auth server(port 5894) sends them in the packet 4112.

Right now, I'm going to write a C# project to cover what I know so far.

I also found out that, every single server uses the exact same encryption.


**
I'd really be very thankful if Lazeboy or ZeroTen would pm me with their msns.

** EDIT
I do it as a proxy as, I can edit the auth server's ip so I make the client connect to my IP, I can then modify whatever comes and goes. When it comes to the part of the game server ports and ips, I modify the packet and set there my IP everywhere, keep the good ips, start listening on the ports I gave to the client, and whenever the client connects to a certain port, I know which ip is the good one to connect to the right game server. BTW, I've know a bug...and it's really awesome!


-impulse- is offline  
Reply



« Previous Thread | Next Thread »

Similar Threads
[Request] Packet Structure for CharData Packet
can someone tell me which structure the CharData packet has? i would really appreciate this, since im still noob in such things. its just too high...
4 Replies - SRO Ask the Experts
How can I check the packet structure?
Hey, We have this packet header database: SEND: 0x00____________ Restore Char 0x01____________ AntiCp 0x02____________ Login...
2 Replies - Kal Online
packet structure
For what I'd like to do, I think packets are the place to start. After that, probably java then C and VB. This is a question for the people here...
16 Replies - CO2 Main - Discussions / Questions



All times are GMT +1. The time now is 12:36.


Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Abuse
Copyright ©2018 elitepvpers All Rights Reserved.